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^ have less time complexity in comparison with the existing schemes. 



Abstract 

In this paper, we propose a blind signature scheme and three practical educed schemes based on elliptic curve 
discrete logarithm problem. The proposed schemes impart the GOST signature structure and utilize the inherent 
advantage of elliptic curve cryptosystems in terms of smaller key size and lower computational overhead to its 
counterpart public key cryptosystems such as RSA and ElGamal. The proposed schemes are proved to be secure and 
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■• I. Introduction 

■^ 

!r^ Blind signature is a form of digital signature in which the message is blinded before it is signed, in order to allow 

\ I the requester to get a signature without giving the signer any information about the actual message or the resulting 

signature. Blind signatures are used to build practical offline and onUne untraceable electronic cash schemes fTl-Q 
and widely employed in privacy -related cryptographic protocols, such as electronic election systems |5|. The paper 
analogy to the blind signature is enclosing a ballot in a carbon paper lined envelope; In this way, the signer does 
not view the message content, and also everyone can later check the validity of the signature. 

Several blind signature schemes are proposed in the literature. The first scheme, proposed by Chaum |J6J, was 
based on RSA signature. In 17), Okamoto proposed the blind Schnorr signature and Pointcheval et al. proved its 
security in |[8]. In 1995, Camenisch et al. proposed a bUnd signature scheme based on the Discrete Logarithm 
Problem (DLP) 19) and later, in 2005, Wu et al. proved its untraceability pO) . Pointcheval developed a blinding 
scheme for Okamoto's signature in pT) . In 112) , Huang et al. presented a blind signature scheme based on GOST 
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signature, which is the Russia's digital signature algorithm p3) . In p4) , an efficient blind signature scheme is 
presented based on the elliptic curve discrete logarithm problem. 

In this paper, we propose a GOST-like blind signature scheme and three efficient educed schemes based on elliptic 
curve discrete logarithm problem. The schemes utilize the inherent advantage of elUptic curve cryptosystems in terms 
of smaller key size and lower computational overhead compared to its counterpart public key cryptosystems such 
as RSA and ElGamal. The schemes are proved to be correct and secure. They can be used in various cryptographic 
protocols where the anonymity of the requester is required. 

The remainder of this paper is organized as follows. In Section 2, basic concepts of elliptic curves are presented. 
The GOST digital signature scheme is described in Section 3. In Section 4, the generalized scheme and three other 
educed schemes are elaborated and the security and performances are discussed. Finally, Section 5 concludes the 
paper. 

II. Elliptic Curves over Finite Fields 

The elUptic curve analogues of DLP-based schemes was independently proposed by KobUtz p3) and Miller p6) , 
in 1985. Since then, several cryptosystems are developed based on elliptic curve computations. 
A non-super singular elliptic curve E over a finite field Fq is as follows: 

E : y"^ ^ x^ + ax + b mod q (1) 

where Aa^ + 27b mod q ^ 0. The point P = {x,y), where {x,y) & Fq x Fq satisfy Equation [T| together with a 
point at infinity, denoted by O, form an abelian group {E, +,0) whose identity element is O. 

The negative of P = {xp, yp) is — P = (.Tp, — j/p). Let P = (xp, yp) and Q — (xq, yq) be two distinct points on 
an elliptic curve such that P 7^ — Q. Then P + Q = {xr, yr), where: 

Xr = {s ~ Xp — Xq) mocl q 

Vr = (-J/p + s{xp - Xr)) mod q (2) 

where s — ^''~^'' mod q. 

P Q 

Doubling a point P, in case of yp 7^ 0, results in 2P = {xr, yr), where: 

Xr — {s — 2xp) mod q 

Vr = (-J/p + s{xp - Xr)) mod q (3) 

where s — -^ — mod a. 

Definition: Let E be an elliptic curve over a finite field Fq and let P £ E{Fq) be a point of order n. Given another 
point Q G E{Fq), the Elliptic Curve Discrete Logarithm Problem (ECDLP) is to find the integer d e [0,n — 1], 
such that Q = dP pT). 
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III. The GOST Signature Scheme 



In this section, we describe the GOST digital signature scheme |T3). 

Let p and q be large primes that satisfy q\p — 1, and g be an element in Z* with order q. Let H : {0, 1}* -^ Zq 
be a secure hash function. The signer's secret and public key pau" is (x, y), where x E Zg and y = g^ mod p. Let 
m be the message to be signed. 

Signing: The signer chooses random number k E Zq and computes: 

r — {g mod p) mod q 

s = xr + kH{m) mod q (4) 



The signature on message m is (r, s). 
Verification: The verifier computes: 



V = H{mY^ mod q 
Zi — sv mod q 
^2 — {q — f)v mod q 

u = {g^^y^^ mod p) mod q (5) 



and checks whether u = r. 



IV. The Proposed GOST-like Blind Signature Scheme 

In p2| , a blind signature scheme based on the GOST signature is presented. Here, we propose a GOST-like 
blind signature scheme based on ECDLP. 

There are two participants in a blind signature scheme: a signer and a group of requesters. Initially, the signer 
publishes the necessary information. Then, the user sends a blinded version of the message to the signer. The signer 
signs the blinded message, and sends the result back to the user. Afterwards, the user extracts the signature. At the 
end, the validity of the signature is verified. The details of these phases are described below. 

InitiaUzation: First, the curve parameters must be agreed upon by signer and requester. Let E be the used elliptic 
curve over Fq and suppose that the number of Fg-rational points on E is divisible by a sufficiently large prime 
n > 2^^". Let G be a point on E of order n. Signer must have a key pair suitable for elliptic curve cryptography, 
consisting of a private key d (a randomly selected number in the interval [l,n — 1]) and a public key Q where 
Q = dG. 

Then the signer chooses random number k in the interval [1, ?i — 1], computes R ~ fcG = {xr, j/r) and sends R 
to the requester. 

Requesting: The requester chooses random numbers ti, ^2 and t^ in the interval [l,n — 1] and computes: 

X = (tiR + tzG + tsQ) = (tik + t2+ t3d)G (6) 

m' = Xrti{m~^ + ts)'^ (7) 
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Signer Requester 




Selects the private key, d, randomly. 




Declares Q = dG as the public key. 


Initialization 


Selects k randomly and computes R = fcG. 

R 

^ 




Chooses t^, tj and tg randomly, 




Computes: 


Requesting 


X = (tiR + tzG + tgQ) 




m' 

< 




Computes s' = dx^ + km' 


Signing 


SI 








Computes s = m.{t^s'm.'~'^ + tj)- 


Extraction 


Declares signature (X, s) as public. 


Verification 


If sG = mX + Q then validate the signature; otherwise reject. 



Fig. 1. The proposed blind signature sclieme. 



then sends m! to the signer, m! is an encrypted version of the message, i.e. the blinded message. 
Signing: Signer computes the signature of the blinded message as: 

s — dxr + km' 



(8) 



and sends the result back to the requester. 

Extraction: Requester extracts the signature of the message from the signature of the blinded message, by 
computing: 



s — m{tis'm + ^2) 

and declares the pair (X, s) as the signature on m. 

Verification: The legitimacy of the signature (X, s) for the message m is verified by examining: 

sG = mX + Q. 

The various phases of the proposed scheme are summarized in Figure 1 . 



(9) 



(10) 
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The correctness can be easily proved as follows: 

sG = m{tis'm'^^ + t2)G 

= m{ti{dxr + km')x^^t^^{ni^^ + ts) + t2)G 

^ m{tik + t2 + t3d)G + dG 

= mX + Q. (11) 

A. Security of the Proposed Scheme 

The security of blind signature schemes is defined by unforgeability and blindness. Here, we discuss these 
properties of the proposed blind signature scheme. 

Unforgeability: Forgery is an attack trying to fabricate a digital signature for a message without having access 
to the respective signer's private key. The security requirement of unforgeabiUty of digital signatures is also called 
non-repudiation. 

To forge a valid blind signature, the adversary should obtain the signature s' or the signer's private key d to 
fabricate the signature s' = dxj. + km! . It is impossible to obtain d from the public key Q using the equation 
Q = dG, because it is based on ECDLP. To forge s', a dishonest requester (as an adversary) must calculate 
dxr + km! . The requester knows the parameters Q and R and can compute x^Q + tti'R, which is equal to s'G. 
Again finding s' from s'G is impossible, because it is based on ECDLP. Thus, the unforgeability of the scheme is 
assured. 

Blindness: A signature scheme is called blind, if the signer's view and the resulting signature are statistically 
independent. The signer's view is the set of all values that the signer gets during the execution of the signature 
issuing protocol, which in the proposed scheme is the tuple (R, ?7i',s'). 

The three blinding functions are: 

X = (iiR + i2G + t3Q) 
m' — Xrti{m^ +^3)^ 
s = m{tis'm'^^ +12) (12) 

It can be seen that, there always exists a tuple of random numbers (ii, ^2,^3) which maps any (R, m' ,s') to any 
(X, s), because there are three random parameters in the three blinding functions. Thus, the scheme is blind. 

B. Educed Schemes 



As in p2) , three educed schemes are derived from the generalized scheme. In fact, two random parameters 
are sufficient to provide blindness. The tuple of random parameters (^1,^2, ^3) for the three educed schemes are 
(1,^2,^3), (^1,0,^3) and (ii,i2,0). The security of the educed schemes is discussed below. 

• Case I: ti = 1 
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In this case,the blinding functions are: 

X = (R + faG + taQ) 

m! = Xj.{mr +^3)^ 

s = m(s'm'"^ +^2) (13) 

The correctness and the unforgeabiUty are the same as the generalized scheme and the blindness can be proved 
as follows. 

Let [xr, m' , s') be the data appearing in the signer's view during the execution of the signature and (X, s, m) 
be the corresponding data at the verifier It is sufficient to show that there exist a pair of random numbers 
{t2,H) that maps (a;r.,TOi,Si) to {Xj,Sj,mj), for i,j e {0, 1}. We define: 

. —1 /—I / 

h — rrij Sj — nij^ s^ 

tz = m^ Xn — rrij^ (14) 

By using Equations 6, 8, 10 and 14, we have: 

R^ + taG + fsQ = R< + ("^^^«J - rn'^^s'i)G + {m!^^Xr, - mf^)il 

= R,j + rrij^ SjG — ra'^ (s^ — dx^JG — rrij^ Q 

= Ri + rrij^ {mj\j + Q) — m^ {ki'm^)G — nij^ Q 

= R, + Xj - kiG 

= X, (15) 

Thus, the tuples (x^^jTO^jS^ and {Xj,Sj,mj) have exactly the same relation defined by the signature issuing 

protocol, thus the scheme is blind. 

Case II: ta = 

In this case, the blinding functions are: 

X=(fiR + t3Q) 
m' = Xrti{m^^ + t^)^^ 
s — tims'm'^ (16) 

The correctness and the unforgeability are also the same as the generalized scheme and the blindness is proved 
similar to the case I, by defining: 



h = Si m^s^nij 



1 I -1 
h = '™7^(a;r,Sj Sj - 1) (17) 



Case III: tg = 
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TABLE I 

Definition of Notations 



Notation 



Definition 



'mul(p) 
^add(p) 



Time complexity of a multiplication 
Time complexity of an addition 



'exp(p) 



Time complexity of an exponentiation 



-^ inv(p) 



Time complexity of an inversion 



'ec-mul{p) 



Time complexity of an elliptic curve scalar multiplication 



'ec-add{p) 



Time complexity of an elliptic curve points addition 



In this case, the blinding functions are: 



X^{tiR + t2G) 
m! — Xrtim 



(18) 



The correctness and the unforgeability are also the same as the generalized scheme and the blindness is proved 
similar to the case I, by defining: 



ti = m[xri 



h = Tn- [Sj - Xr 



^'s') 



(19) 



C. Performance of the Proposed Schemes 

The time complexity of the proposed schemes is compared with a recently proposed ECDLP-based blind signature 
IT4) and the scheme proposed by Camenisch et al. 19), which is declared to have superior performance than other 
DLP-based bUnd signatures | [T0| . 

Tablellldefines the notations. In this table, the sub-index (p) denotes a prime field of order 2^. The time complexity 
of various operation units in terms of the time complexity of a modular multiplication is illustrated in Table III] fT^ . 
Comparisons are based on the fact that an elliptic curve E{Fq) with a point P e E{Fq) whose order is a 160-bit 
prime offers approximately the same level of security as DSA with a 1024-bit modulus p [19J . 
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TABLE II 

Unit Conversion of Various Operations in Terms of T, 



mul(1024) 



Time Complexity of an Operation Unit 


Time Complexity in Terms of Multiplication 


Texp(1024) 


240 X r„uL(1024) 


Tadd(1024) 


Negligible 


TiNV(1024) 


3 X T„uL(io24) 


Tec-mul(16()) 


29.3 X T„tjL{i024) 


^EC-ADD(160) 


0.12 X T'„yL{1024) 


^MDL{160) 


0.024 X T„uL{i024) 


^ADD(160) 


Negligible 


^INV{160) 


0.073 X T„uL(io24) 



TABLE 111 

Time Complexity of Different Schemes in Unit of T. 



MUL(1024) 



Sclieme 



Rough Estimation of the Computation Cost 



Camenisch 9 



1696 X T„uL(io24) 



ECDLP-based 14 



206 X T„uL(i024) 



206 X T'„uL(i024) 
176 X rM„L(1024) 



The proposed scheme 



Educed scheme, Case 1 



Educed scheme. Case II 



176 X rM„L(1024) 



176 X T„uL(io24) 



Educed scheme. Case 111 



The detailed costs of the schemes are as follows: 



■^Camenisch ||9) ~ '^TexP(1024) + 2r/Ary(i024) + 101^/^^(1024) + '^TadD(1024) 

'^ECDLP-Based |TT| ~ '^Tec-mul(i6q) + 3^ec-add(i60) + Tinv(i6q) + ^Tmul(160) + 3T4_d_d(i6o) 

-^Proposed ~ '^TeC-MUL{160) + 'iTEC-ADD(im) + 3T/7vy(l60) + 7Tm;7L(160) + 3r4DD(160) 



r, 



Educed I 



m 



EC-MU{16a) 



■m 



EC-ADD 



(160) + 377Arv/(i60) + 5Tj\,f ;7L(160) + ^TadD(160) 



-%duced II ~ ^Tec-mul(i6q) + '^Tec-add(i6o) + 3T/Ary(i60) + 7Tjv,/[/l(i60) + '^Tadd(iw) 

-^Educed III ~ ^T^EC-MULiwa) + "^Tec-addhw) + ^7^^(160) + 7Tm[/l(i6o) + 2r4_D_D(i6o) (20) 

Table 3 provides a rough estimation of the overall time complexity of different schemes in terms of the required 
execution time for a modular multiplication. While maintaining the security, the proposed scheme is more efficient 
as compared to the scheme proposed by Camenisch et al. |[9| and has the same complexity as the ECDLP-based 
scheme proposed in p4) . Also, the educed schemes are about 15% more efficient than the generalized one. 

V. Conclusion 

This paper suggested a secure and efficient GOST-like blind signature scheme and three practical educed schemes 
based on the Elliptic Curve Discrete Logarithm Problem. The schemes utilize the inherent advantage of Elliptic 
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Curve Cryptosystems in terms of smaller key size and lower computational overhead compared to its counterpart 
public key cryptosystems such as RSA and ElGamal. We proved the security of the proposed schemes is based on 
ECDLP and the time complexity is lower than the existing blind signature schemes. The schemes are applicable in 
the cryptographic services that emphasize the privacy of users, such as electronic voting over internet and untraceable 
payment services. 
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